2025's Cracked Crystal Ball
It's traditional to guess at what's going to happen in your field for the new year, so here goes: there will be breaches. Also other things.
2024 is all but up, and 2025 is just about to arrive. It is traditional as this happens for us to all whip out our prognostications for the coming year. Aside from being confident the Bears won't be winning the Super Bowl, I'm going to focus on cybersecurity predictions for 2025.
Now Nostradamus I am not, but I think I can offer up a few reasonable predictions. Let's start with the obvious.
There Will Be More Breaches
Yes, I'm starting small. Nothing significantly changed in 2023 that would significantly impact the ransomware and other attack equation in favor of companies and governments on defense. Frankly, until there is unilateral international cooperation on holding the malicious actors behind these attacks responsible and prosecuting them under the law, the equation won't change much in the near future.
Insurance Companies Will Exert Significantly More Power Over Corporate Cybersecurity
Thus far we haven't had a way to quantify cybersecurity capabilities, quality, or preparedness. Enter the insurance companies. After the beginning of the ransomware era took them by surprise, the industry has found a model that seems to be working for them. Just as they've had a significant impact on things like car safety and home safety, I believe 2025 will be the year that they ramp up their influence on cybersecurity controls, requirements, and capabilities. We'll also start seeing wider partnership between insurers and security solution providers.
AI Will Continue To Be AI
The market hype around AI will continue to make cybersecurity buyers wary, but the fact of the matter is that AI has been with us in cybersecurity for years, and is providing value daily as it is.
Generalized GenAI will continue to be as bad as the data used to train it, but we have to keep in mind that AI comes in a number of different flavors and functions, and when a data set is well defined and well managed, GenAI isn't quite so bad - at least it doesn't recommend putting glue on pizza.
Emergence of Domain Solutions
Cybersecurity technology continues to be an ecosystem of two extremes: the large companies which offer every possible technology with the (often incorrect) assumption of strong interoperability, and the "best of breed" point solutions. I think over the next couple of years we will start to see the emergence of a third group: domain solutions. What I mean by that is solutions that address a full domain of capabilities with well-integrated platforms. The domains may overlap, but I see space for domain solutions for addressing production environment security, on premise security, "office" security, and others. This has the potential to reduce the ridiculous number of security-related tools a typical enterprise deploys, smooth interoperability between groups of tools, and put a dent in the "one stop shop" technology companies who are still scrambling to truly integrate tech they added to their line cards 5 years ago. This has the potential to really help out smaller businesses as well, giving them a handful of quality security technology partners - or MSSPs who have standardized on a handful of technologies and are therefore better able to operate them all on behalf of their customers.
US Cyber Regulation Will Continue to be a Fragmented Mess
Every state and every territory has their own privacy law. Most states have their own cybersecurity laws. There are several different federal agencies all with authority over cybersecurity in some form or another - some by industry (Health and Human Services has HIPAA, etc.) and others through a different focus, such as regulating the public trading of stocks and providing protection for consumers. Any hopes of a singular agency such as CISA having complete responsibility over some coordinated regulatory function is still years off.
A Smudge On the Crystal Ball?
Yes, some of these are gimmes in terms of predictions. Others may be real stretches. What I do know is that what we're doing today isn't good enough, and because of that it will continue to evolve. Regulation, insurance, AI, and cost will continue to be major influences, often at odds with each other, and that's what this set of predictions is really all about.
Now if you'll excuse me, I need to see if I can fill those cracks in my crystal and polish it up before I need it for next year.